Information Security Audit

Information Security Audit with Security Experts

Information security audit as a service examines all assets related to information security for conformance to the selected criteria. The scope of an audit depends on the objective. A regular audit assesses different processes, services, products, information processing procedures, user practices, security of system configuration and environment, etc. The main purpose is to verify whether the security management system satisfies business objectives and how the existing controls adhere to the risk assessment, best practice standards and/or other applicable regulatory compliance requirements.

Security audits, vulnerability assessments, and penetration testing are the main types of security checks. Each of the three differs from the others in focus/purpose and approach. A security audit evaluates how well an information system conforms to a set of established criteria. A vulnerability assessment focuses on analysis of an entire information system with the aim of discovering potential security weaknesses/leaks. Penetration testing focuses on the ability of the tested system to withstand hackers' attacks.

Information security audit services generally include reviews of:

Authentication and access controls

Network security

User equipment security

Personnel security

Physical security

Application security

Software development and acquisition

Risk management

Business continuity and service recovery

Service providers – suppliers management

Data security

Security monitoring

Security awareness program

The customer provides the appropriate descriptions, the regulatory documents, and the means of interviewing the key personnel. Documentation includes the policies, procedures and checklists that define and/or support IT controls. The interviews and walkthroughs conducted with the key personnel aim to validate adherence to the documented policies and procedures, as well as to corroborate the practices described during the interview process.

Objectives:

Audit of the entire data security system

Security audit of the networks and selected components, data storage systems, servers, etc., which are business-critical for the customer

Identification and evaluation of risks and mitigation of security vulnerabilities

Definition of cost-efficient security mechanisms

Ensuring fulfilment of the legal requirements and conformance to the international standards

Minimization of negative impacts caused by security incidents

Reporting:

Information security audit results are provided as a comprehensive report, which normally contains:

Introduction

Executive summary

Remediation action plan

Detailed audit results that can include with respect to the particular objectives: